Let's deploy to Openshift

I'd like to share my story about migrating an application to Openshift. As a result, I will also compare some of the most popular solutions and tools for managing your application inside Openshift. This is a transcript of my presentation at Kubernetes SPB meetup #3.


What should we do?

First of all, let's talk about our application. It is an out-of-the-box enterprise solution that supports different databases, application servers and integration interfaces with third-party systems. Usually our clients installed it on dedicated servers; however, we faced an issue: we had to run the application inside Openshift.

Prerequisites

The application is a product with a long history, and it should work out of the box in completely different environments. As a result, there are a lot of pages in our installation guides. However, the top-level scheme is easy as pie; you just have to:

Apply DB schema.

Prepare application server configuration.

Install your license.

Initialize the application.

Unfortunately, the world is cruel: there were some important prerequisites.

We could build the application only on a special Jenkins slave, because of security restrictions.

There was no access from the client's Openshift installation to the private developers' docker registry.

We were not able to re-use the existing docker images, because they were created for development and testing needs only.

There were ansible playbooks for application deployment on VMs.

Ansible-container demo

Ansible Container is an open source project that aims to enable the automation of the entire container build, deployment and management process. Best of all, it uses the same simple, powerful and agentless Ansible automation language that you're already using, ensuring you can automate the entire application lifecycle.

We had already written some Ansible roles for installing the application on VMs, so we reused them with ansible-container. Ansible Container is a toolset for building containers. I'm not sure that it's a really good toolset; however, it allows:

By default there is no ability to use chroot or sudo inside Openshift, for security reasons. Just read CVE-2019-5736.

For security reasons Openshift by default also generates a random UID for each container; in other words, Openshift ignores the USER option from a Dockerfile.

The main point is that ansible-container helped us to create a demo very fast, because we could reuse our existing roles.

Multiple containers demo

The first demo container was built via ansible-container. It was good enough for the demo; however, we decided not to use it. We split the monolith container into different containers:

We used the original Openshift PostgreSQL container without any modifications.

We built a stateless application container.

However, it wasn't clear how to initialize the database. We found a great article about the life of pods inside Kubernetes, so we decided to use an init container for database initialization.

Initialize the application

As I mentioned before, the application should work out of the box in completely different environments, support different application servers/databases and integration interfaces with third-party systems.

There are a lot of ways to initialize the application:

Pass configuration via environment variables. This means adding all our documentation/knowledge about how to initialize the application for each use case into each container. It doesn't sound good.

Use a start hook; this is approximately the same as the first one.

Initialize during provisioning to Openshift.

Use an external container with individual configuration for each use case.

We chose the last one: we created an additional replication controller for initializing the application. Really?

We read the documentation again.

A pod (as in a pod of whales or pea pod) is a group of one or more containers (such as Docker containers), with shared storage/network, and a specification for how to run the containers.

A pod is a group of containers. As a result, we decided to run 3 containers in an application pod:

Init container for PostgreSQL initialization.

The application container.

Application initialization container.

This approach allows us to store our configuration as code, with two interesting results: the application configuration is testable and reproducible.
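The three-container pod described above could look like the manifest below. This is an added example, not the manifest from the original project: the image names, the scripts, the `/health` path, port 8080 and the `app-db-credentials` Secret are all assumptions. It also reflects the random-UID behaviour mentioned earlier by not pinning a user.

```yaml
# Added example; every name, image and path here is hypothetical.
apiVersion: v1
kind: Pod
metadata:
  name: app
  labels:
    app: demo-app
spec:
  securityContext:
    runAsNonRoot: true            # no runAsUser: Openshift assigns a random UID
  initContainers:
    - name: db-init               # must finish successfully before the containers below start
      image: registry.example.com/demo/db-init:1.0
      command: ["/opt/init/apply-schema.sh"]
      envFrom:
        - secretRef:
            name: app-db-credentials   # credentials come from a Secret, not the image
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
  containers:
    - name: app                   # stateless application container
      image: registry.example.com/demo/app:1.0
      ports:
        - containerPort: 8080
      envFrom:
        - secretRef:
            name: app-db-credentials
      readinessProbe:
        httpGet:
          path: /health
          port: 8080
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
    - name: app-init              # per-use-case configuration kept as code
      image: registry.example.com/demo/app-init:1.0
      # Assumed to wait for the app, configure it, then idle so it is not restarted.
      command: ["/opt/init/configure.sh"]
      env:
        - name: APP_URL           # containers in a pod share the network namespace
          value: "http://localhost:8080"
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
```

The images have to tolerate an arbitrary UID, so any directory they write to should be group-writable for GID 0 rather than owned by a fixed user.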

Ansible k8s module

You have to take care of removal yourself. If you want to remove something, then you must declare it.

You have to take care of creation order. You should deploy the application before initialization.
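Both points show up directly in a playbook. The following is an added example, not the playbook from the original project: the `demo-app` project, the `app-init` replication controller and the files under `manifests/` are hypothetical, and older Ansible releases ship the module as plain `k8s` instead of `kubernetes.core.k8s`.

```yaml
# Added example; namespace, object names and manifest files are hypothetical.
- name: Deploy the application with the k8s module
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    ns: demo-app
  tasks:
    # Removal is never implicit: an object that disappears from the manifests
    # stays in the cluster until a task declares it absent.
    - name: Remove the obsolete initialization replication controller
      kubernetes.core.k8s:
        state: absent
        api_version: v1
        kind: ReplicationController
        name: app-init
        namespace: "{{ ns }}"

    # Creation order is simply the order of the tasks.
    - name: Create the database credentials
      kubernetes.core.k8s:
        state: present
        namespace: "{{ ns }}"
        src: manifests/db-secret.yml

    - name: Deploy PostgreSQL and wait for it
      kubernetes.core.k8s:
        state: present
        namespace: "{{ ns }}"
        src: manifests/postgresql.yml
        wait: true
        wait_timeout: 300

    - name: Deploy the application pod only after the database exists
      kubernetes.core.k8s:
        state: present
        namespace: "{{ ns }}"
        src: manifests/app.yml
        wait: true
        wait_timeout: 600
```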

Ansible Playbook Bundle

An Ansible Playbook Bundle (APB) is a lightweight application definition (meta-container). They are used to define and deploy complex groups of applications, deployment configs, deployments, and services to an OpenShift Origin cluster running the Ansible Service Broker. APBs offer more power and simple configuration by leveraging the power of Ansible. APBs have the following features:

The main idea is that you pack everything needed into a container and run the container inside Openshift.

Pros:

Bundles everything.

Testable and reproducible.

Service catalogue integration.

Cons:

You need admin permissions.

Documentation is sometimes out of date.

Result

On one hand I don't want to be the final authority, but on the other hand, I'd like to share my point of view. There is no silver bullet.

If you don't plan to provide your application as a service, then the Ansible k8s module is your choice.